Front Stage's Booking application is going live in the near future. Before promoting the application to production, a security review is required. Any security risks that are found require a review.
Perform a security review of Front Stage's Booking application by using the security checklist. Provide recommendations to strengthen the security of the application.
Some changes can be implemented directly in the development environment, while others are configured only after the application has been promoted to the production environment. For the changes that cannot be implemented in the development environment, create a list of configuration tasks that must be carried out after the application has been promoted to other environments.
1 Tasks to perform on the development environment
- Disable unneeded out-of-the-box operators.
- Change passwords for used out-of-the-box operators.
- Fix any issues found by the security analyzer.
- Fix any security issues in the Guardrail report.
- Ensure that timeouts are set up at the application server level, requestor level, and Access Group level that are of an appropriate length.
- Ensure that the Unauthenticated Access Group has the minimum required access to rules.
- Add the <env name="alerts/suppressalerts" value="true" /> setting to the prconfig.xml file to ensure that sensitive property values, such as customer account numbers or Social Security numbers, do not appear in the Alert log.
- In each ruleset version, on the Security tab, select Lock this Version, and enter a password.
- In each ruleset rule, on the Security tab, select Use checkout? and enter three distinct passwords to limit the ability to add versions, update versions, and update the ruleset rule itself.
- Apply the correct type for all properties.
- Apply privileges across all the relevant rules (flow actions, reports, flows).
- Review the Unauthenticated access group to make sure that it has the minimum required access to rules.
2 Tasks to perform outside of the development environment
- Update prconfig settings.
- Update dynamic system settings.
- Remove any unnecessary resources/servlets from the web.xml, and rename default servlets where applicable, particularly PRServlet.
- If using HTTPS, ensure that testing environments are available in which to test with SSL enabled.
- Ensure that the system has been set up using a JDBC connection pool provided by the application server, rather than the database connection being defined in the prconfig.xml.
- Rename and deploy the prhelp.war once per environment (potentially on its own node, so that the endpoint URL cannot be picked up from the help pop-up window).
- Rename and redeploy the prweb.war for each node.
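As an added check that is not part of the assignment answer or of Pega's own tooling, the script below audits a deployed prconfig.xml and web.xml for three of the items above: the alert-suppression setting, a database connection defined directly in prconfig.xml instead of through a JDBC pool, and PRServlet still mapped under its default URL. It assumes prconfig.xml uses <env name="..." value="..."/> elements, that direct connections live under database/databases/<name>/url (a pool is referenced via .../dataSource), and that the default mapping is /PRServlet; the two sample files are constructed for the demonstration.

```python
"""Audit Pega deployment config files against three checklist items."""
import xml.etree.ElementTree as ET

# Constructed sample input: a prconfig.xml that still defines the database
# directly, and a web.xml that still exposes the default PRServlet mapping.
SAMPLE_PRCONFIG = """<pegarules>
  <env name="database/databases/PegaRULES/url" value="jdbc:postgresql://db/pega" />
  <env name="database/databases/PegaRULES/userName" value="pega" />
</pegarules>"""

SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <servlet-mapping>
    <servlet-name>PRServlet</servlet-name>
    <url-pattern>/PRServlet</url-pattern>
  </servlet-mapping>
</web-app>"""


def prconfig_settings(xml_text):
    """Return {name: value} for every <env> element in prconfig.xml."""
    root = ET.fromstring(xml_text)
    return {e.get("name"): e.get("value") for e in root.iter("env")}


def audit_prconfig(xml_text):
    """Findings for the alert-log and database-connection checklist items."""
    settings = prconfig_settings(xml_text)
    findings = []
    if (settings.get("alerts/suppressalerts") or "").lower() != "true":
        findings.append("alerts/suppressalerts is not true: property values may reach the Alert log")
    # Assumption: a direct connection is keyed database/databases/<name>/url,
    # whereas a JDBC pool is referenced through .../dataSource instead.
    for name in settings:
        if name.startswith("database/databases/") and name.endswith("/url"):
            findings.append(f"{name} defines the database in prconfig.xml instead of a JDBC pool")
    return findings


def audit_web_xml(xml_text):
    """Findings for PRServlet left at its assumed default /PRServlet mapping."""
    root = ET.fromstring(xml_text)
    findings = []
    for mapping in root.iter():
        if mapping.tag.split("}")[-1] != "servlet-mapping":  # strip the XML namespace
            continue
        patterns = [c.text.strip() for c in mapping
                    if c.tag.split("}")[-1] == "url-pattern" and c.text]
        if "/PRServlet" in patterns:
            findings.append("PRServlet is still mapped at the default /PRServlet URL pattern")
    return findings


if __name__ == "__main__":
    for finding in audit_prconfig(SAMPLE_PRCONFIG) + audit_web_xml(SAMPLE_WEB_XML):
        print("FINDING:", finding)
```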